How to enumerate a user's security group membership using Visual Basic or Visual Basic Script (301916)
The information in this article applies to:
- Microsoft Active Directory Services Interface, System Component
- Microsoft Active Directory Services Interface, Microsoft Active Directory Client
This article was previously published under Q301916
SUMMARY
This article describes a method for enumerating the security groups that a user is a member of by using Microsoft Visual Basic or Microsoft Visual Basic Script (VBScript). The method described here does not enumerate the local security groups and will not work across foreign forests.
MORE INFORMATION
The tokenGroups property of an Active Directory (AD) user object contains the binary security identifiers (SIDs) of all of the security groups that a user is a member of. This property is a constructed attribute, which means that the property is created on the client by the provider and not stored as data in the AD.
An alternate approach is to read the MemberOf attribute, which is an enumeration of the immediate groups, including both security and distribution groups. The MemberOf attribute does not enumerate the nested groups. The best approach for performing security group enumeration is to go through the security infrastructure and use the security APIs, but these APIs cannot be called directly from Visual Basic or VBScript. For more information on these alternate solutions, see the "References" section of this article.
Converting SIDs from binary to a human-readable form
The SID for the group is stored in its binary form in the TokenGroups attribute. This form is not human-readable nor can it be used to bind to the group object. The SID must be converted if you want to use it to bind to an object.
The IADsSID object that is exported by ADsSecurity.dll can be used in a Visual Basic program to convert the binary SID into a Security Account Manager (SAM) account name or a Lightweight Directory Access Protocol (LDAP) DN. Unfortunately, the IADsSID object cannot be used from a Visual Basic Script. "Using IADsSID from Visual Basic to Resolve a Binary SID into a String," which follows this section, contains a Visual Basic code snippet that uses the IADsSID object to convert the binary SID into a string.
A Visual Basic Script solution involves the use of the Array Converter sample (see the "References" section). The ADs.ArrayConvert object can be used to convert the binary SID into a hexstring. From this hexstring, an LDAP SID bind string can be created. By using the SID bind string, you can obtain the group object from the AD. The section "Using ADs.ArrayConvert from Visual Basic Script to Build an SID Bind String," following in this article, contains a Visual Basic Script example that illustrates how to use the ADs.ArrayConvert object to create an SID bind string.
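The conversion the two sections above rely on (binary SID to a readable string, and binary SID to the hex string inside an LDAP://<SID=...> bind string) is language-neutral, so the following added example shows it in plain Python rather than through ADsSecurity.dll or ADs.ArrayConvert. It is not code from the article; it decodes the SID structure byte by byte (revision, sub-authority count, 48-bit big-endian identifier authority, little-endian 32-bit sub-authorities), rejects malformed blobs instead of mapping them to a wrong group, and builds the bind string the VBScript section constructs. The sample SIDs are constructed for a hypothetical domain, and upper-casing the hex digits is this example's choice, not something the article states.

```python
# Added example (not from the KB article): decode the binary SIDs that the
# tokenGroups attribute returns and build the LDAP://<SID=...> bind string the
# article assembles from CvOctetStr2vHexStr output. Runs offline; the sample
# SIDs below are constructed, not read from a directory.
import struct
from typing import List, Tuple


def parse_sid(raw: bytes) -> str:
    """Decode a binary SID into its textual S-R-A-S1-...-Sn form.

    Layout of the binary SID structure:
      byte 0      revision (always 1)
      byte 1      number of sub-authorities (n)
      bytes 2..7  48-bit identifier authority, big-endian
      then n      32-bit sub-authorities, little-endian
    """
    if len(raw) < 8:
        raise ValueError("SID blob shorter than the 8-byte header")
    revision, sub_count = raw[0], raw[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError("SID length %d does not match %d sub-authorities"
                         % (len(raw), sub_count))
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % sub_count, raw, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def string_to_sid(sid: str) -> bytes:
    """Inverse of parse_sid; used here only to construct sample input."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_bind_string(raw: bytes) -> str:
    """Hex-encode the raw SID and wrap it as an ADSI SID bind string
    (same shape as the article's "LDAP://<SID=" & hexSid & ">")."""
    return "LDAP://<SID=%s>" % raw.hex().upper()


def enumerate_token_groups(blobs) -> List[Tuple[str, str]]:
    """Turn a tokenGroups-style list of binary SIDs into (sid_string, bind_string)
    pairs. A malformed blob raises rather than being silently resolved."""
    return [(parse_sid(b), sid_bind_string(b)) for b in blobs]


# Constructed sample: what a tokenGroups read might hold for a user in a
# hypothetical domain S-1-5-21-1234567890-987654321-2222222222. RID 512 is the
# well-known Domain Admins RID; the third entry is S-1-5-32-544
# (BUILTIN\Administrators) written out by hand to check the decoder.
SAMPLE_TOKEN_GROUPS = [
    string_to_sid("S-1-5-21-1234567890-987654321-2222222222-512"),
    string_to_sid("S-1-5-21-1234567890-987654321-2222222222-1105"),
    bytes.fromhex("01020000000000052000000020020000"),
]

if __name__ == "__main__":
    for sid_text, bind in enumerate_token_groups(SAMPLE_TOKEN_GROUPS):
        print(sid_text, bind)
```

On a real client, the list passed to enumerate_token_groups would be the array returned by Get("tokenGroups") after GetInfoEx, exactly as in the VBScript section; the length check matters because a truncated or corrupted blob would otherwise decode to a different, possibly more privileged, group.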
Using IADsSID from Visual Basic to resolve a binary SID into a string
ADsSecurity.dll must be registered on the client through the use of Regsvr32 before you can use the IADsSID object. In the Visual Basic project references, the ADsSecurity 2.5 Type Library and the Active DS Type Library must be selected.
' Resolve each binary SID in the user's tokenGroups to a SAM account name.
' Requires references to the ADsSecurity 2.5 Type Library and the Active DS Type Library.
Dim oSid As New ADsSID
Dim oUsr As IADsUser
Dim oGrp As IADs
Dim grps As Variant
Dim grp As Variant
' Replace the placeholder with the LDAP ADsPath of the user object to examine.
Set oUsr = GetObject("LDAP_ADsPATH_TO_A_ACTIVE_DIRECTORY_OBJECT")
' tokenGroups is a constructed attribute, so it must be requested explicitly.
oUsr.GetInfoEx Array("tokenGroups"), 0
grps = oUsr.Get("tokenGroups")
For Each grp In grps
    ' Load the raw binary SID, then read it back as DOMAIN\GroupName.
    oSid.SetAs ADS_SID_RAW, grp
    Debug.Print oSid.GetAs(ADS_SID_SAM)
Next grp
Using ADs.ArrayConvert from Visual Basic Script to build an SID bind string
In order for this code snippet to function correctly, the ADS.dll must be registered on the client (see "References").
' Enumerate a user's security groups via tokenGroups and bind to each group by SID.
' Requires ADs.dll (ADs.ArrayConvert) to be registered on the client; see KB Q250344.
Set args = WScript.Arguments
If (args.Count < 1) Then
    WScript.Echo "ERROR: Wrong number of arguments."
    WScript.Echo "USAGE: tokengroups LDAP_ADsPath"
    WScript.Echo "WHERE: LDAP_ADsPath is the LDAP ADsPath of a user object in the domain"
    WScript.Echo
    WScript.Echo "NOTE: This script requires that ADs.DLL be registered on the client"
    WScript.Echo "In order to convert the binary SID into a form that can be used in a "
    WScript.Echo "bind string. See KB Q250344"
    WScript.Echo
    WScript.Quit
End If
' Bind to the user object whose ADsPath was given on the command line.
Set obj = GetObject(args(0))
' tokenGroups is a constructed attribute and must be requested explicitly.
obj.GetInfoEx Array("tokenGroups"), 0
grps = obj.Get("tokenGroups")
Set oCvrt = CreateObject("ADs.ArrayConvert")
WScript.Echo "Created sidobj"
For k = LBound(grps) To UBound(grps)
    b = grps(k)
    ' Convert the binary SID to a hex string, then wrap it as an LDAP SID bind string.
    hexSid = oCvrt.CvOctetStr2vHexStr(b)
    bindSid = "LDAP://<SID=" & hexSid & ">"
    WScript.Echo bindSid
    ' Bind to the group object by SID and print its common name.
    Set oVal = GetObject(bindSid)
    WScript.Echo oVal.Get("cn")
    Set oVal = Nothing
Next
REFERENCES
For more information on groups in Windows 2000, see the following MSDN Library topic:
For more information about ADS.dll and ARRAYCONVERT, click the following article number to view the article in the Microsoft Knowledge Base:
250344 ARRAYCONVERT.EXE Variant conversion functions
Adssecurity.dll is part of the Active Directory Service Interfaces (ADSI) 2.5 Resource Kit. To download the ADSI 2.5 Resource kit, visit the following Microsoft Web site.
Use Regsvr32 to register ADsSecurity.dll.
For more information about using the memberOf attribute, click the following article number to view the article in the Microsoft Knowledge Base:
220043 How to find distribution list membership for a given recipient
For more information about the Security API, click the following article number to view the article in the Microsoft Knowledge Base:
118626 How to determine whether a thread is running in user context of local administrator account
See also the following MSDN Library topics:
Modification Type: Major
Last Reviewed: 5/26/2005
Keywords: kbDSWADSI2003Swept kbhowto KB301916